[PATCH] Treat pkcs11 TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED as a transient failure.

Jouni Malinen j at w1.fi
Sat Feb 28 02:54:28 EST 2015

On Sat, Feb 21, 2015 at 04:37:58PM -0800, Mike Gerow wrote:
> This can get returned by modules that simply aren't ready yet, so just throwing
> away the pkcs11 pin doesn't really make sense.
> This also addresses a problem where an error condition isn't communicated to the
> caller appropriately in this specific case.

Please read the top level CONTRIBUTIONS file and provide a
Signed-off-by: line at the end of the commit message. I won't be able to
apply changes to hostap.git without that.

As far as the change itself is concerned, I could agree with this if the
error was indeed caused by the module not being ready. However, I'm
concerned about the original reason why this functionality and comment
was added.

> diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c
>  		/*
> -		 * At this point with the pkcs11 engine the PIN might be wrong.
> -		 * We reset the PIN in the configuration to be sure to not use
> -		 * it again and the calling function must request a new one.
> +		 * This generally means whatever we're talking to through
> +		 * PKCS#11 simply isn't ready and should be treated as a
> +		 * transient failure.
>  		 */
> -		os_free(config->pin);
> -		config->pin = NULL;

So what if this error was indeed caused by PIN being incorrect? Wouldn't
that result in that same incorrect PIN being tried again every time the
connection is attempt? I'd assume that could result in the PIN getting
locked which is quite undesirable.

It would look useful to split the TLS_SET_PARAMS_ENGINE_PRV_INIT_FAILED
return value to at least two different values where one of them would
indicate the possibility of the PIN being wrong and that one getting
this existing behavior.

> +		sm->ignore = TRUE;
> +		return -1;

While this new behavior would be used for the case where the PIN has not
been used and the failure was due to PKCS#11 not being ready.

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list